
United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 09/855,908
FILING DATE: 05/15/2001
FIRST NAMED INVENTOR: Steven Michael Bellovin
ATTORNEY DOCKET NO.: 2000-0284
CONFIRMATION NO.: 1152

42292 7590 08/11/2004
LAW OFFICE OF JEFFREY M. WEINICK, LLC
615 WEST MT. PLEASANT AVENUE
LIVINGSTON, NJ 07039

EXAMINER: HAYES, JOHN W
ART UNIT: 3621
PAPER NUMBER:

DATE MAILED: 08/11/2004



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 





Application No.: 09/855,908
Applicant(s): BELLOVIN ET AL.
Examiner: John W Hayes
Art Unit: 3621





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).

Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status

1) [X] Responsive to communication(s) filed on 07 May 2004.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-11 and 17-21 is/are pending in the application.
4a) Of the above claim(s) is/are withdrawn from consideration.
5) [ ] Claim(s) is/are allowed.
6) [X] Claim(s) 1-11 and 17-21 is/are rejected.
7) [ ] Claim(s) is/are objected to.
8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers

9) [X] The specification is objected to by the Examiner.
10) The drawing(s) filed on 15 May 2001 is/are: a) accepted or b) objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) None of:
1. Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. .
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION



Status of Claims 

1. Applicant has amended claims 1-9 and 11, added new claims 18-21 and canceled claims 12-16
in the amendment filed 7 May 2004. Thus, claims 1-11 and 17-21 remain pending and are
presented for examination.



Response to Arguments 

2. Applicant's arguments filed 7 May 2004 have been fully considered but are either not
persuasive or moot based on the new grounds of rejection.

3. Applicant argues that Franklin discloses a customer ID account number that is obtained by 
registration and that this customer ID account number is not hidden from the merchant or 
safeguarded against online eavesdropping. Examiner submits that the customer ID number 
taught by Franklin is only used to identify the customer rather than an account number. Franklin 
discloses that the issuing institution only uses the customer ID number to identify the customer 
and to look up the real customer account number which is hidden from the merchant and any 
other persons who may be eavesdropping. 

4. Applicant further argues that Franklin teaches using only a four digit portion of the transaction 
number that contains a MAC that is specific to the online transaction with the merchant while the 
present invention provides a verification by a comparison of "multiple fields or encrypted 
information" with corresponding transaction information provided by the merchant. Examiner 
submits that Franklin teaches a similar method of using multiple fields of information such as 
cardholder data, transaction amount, merchant ID, goods ID, time and transaction date to 
calculate a MAC as a function of the user's private key which would inherently result in encrypted 
information. Franklin specifically discloses that the unique MAC is generated through the use of a
cryptographic hashing function (Col. 5, lines 32-36). Franklin, however, discloses that the issuing
institution uses the same cryptographic hashing function to compute a MAC and then compares
the generated MAC with the MAC provided by the merchant. The present invention differs since
it recites matching decoded fields of information with corresponding transaction information rather
than comparing MACs. Examiner, however, has provided a secondary reference to Walker that 
more clearly discloses this feature. 
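
The recompute-and-compare check attributed to Franklin above, as an added example (not part of the Office action and not code from either cited patent). HMAC-SHA-256, the field layout, the per-customer key table and all names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed field order; user and issuer must serialize identically.
FIELDS = ("cardholder", "amount", "merchant_id", "goods_id", "time", "date")


def canonical(txn):
    """Length-prefix every field so adjacent values cannot be re-split."""
    out = bytearray()
    for name in FIELDS:
        value = str(txn[name]).encode("utf-8")
        out += len(value).to_bytes(2, "big") + value
    return bytes(out)


def mac_digits(key, txn, digits=4):
    """Keyed hash over the transaction fields, reduced to a short decimal code."""
    tag = hmac.new(key, canonical(txn), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10 ** digits).zfill(digits)


def issuer_verify(key_db, customer_id, txn, presented):
    """Issuer side: look up the customer's key, recompute the code, compare."""
    key = key_db.get(customer_id)
    if key is None:
        return False
    expected = mac_digits(key, txn)
    # Constant-time comparison of the recomputed and the presented code.
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample data (not from the Office action or the cited patents).
KEY_DB = {"cust-001": bytes.fromhex("00112233445566778899aabbccddeeff")}
TXN = {"cardholder": "A. Example", "amount": "49.95", "merchant_id": "M-1001",
       "goods_id": "SKU-77", "time": "14:05:00", "date": "2004-08-11"}


def demo():
    code = mac_digits(KEY_DB["cust-001"], TXN)          # computed by the user
    ok = issuer_verify(KEY_DB, "cust-001", TXN, code)   # merchant relays both
    # The amount is altered in transit while the original code is reused.
    rejected = sum(
        not issuer_verify(KEY_DB, "cust-001", dict(TXN, amount=a), code)
        for a in ("4995.00", "0.01", "500.00", "49.96")
    )
    return code, ok, rejected


if __name__ == "__main__":
    print(demo())
```

With only four decimal digits a blind guess matches once in 10,000 tries, so a code this short relies on the issuer limiting repeated attempts.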

Specification 

5. The disclosure is objected to because it contains an embedded hyperlink and/or other form of 
browser-executable code (See page 2, paragraph 0003). Applicant is required to delete the 
embedded hyperlink and/or other form of browser-executable code. See MPEP § 608.01.
Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness
rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

7. Claims 1-11 and 17-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Franklin et al. U.S. Patent No. 6,000,832 in view of Walker et al. U.S. Patent No. 6,163,771.

As per Claims 1 and 11, Franklin et al disclose a method for facilitating credit card
transactions over a telecommunications network without disclosing a credit card account number, 
comprising the steps of: 

- receiving from a merchant, via the telecommunications network an encoded temporary 
transaction authorization number for an e-commerce transaction, said temporary transaction 
number having been generated by a user having an account with a credit card issuer, wherein 
said temporary transaction authorization number comprises multiple fields of encrypted 
information regarding the transaction such as a MAC (Abstract; Col. 2, lines 8-21; Col. 5, lines 25-57);

- retrieving secret information required to generate a similar MAC (Col. 5 line 65-Col. 6 
line 5; Col. 12, lines 10-15); and 

- matching the generated MAC with corresponding information provided by the 
merchant, and thereby verifying the temporary authorization transaction without disclosing the 
credit card account number via the telecommunications network to the merchant (Col. 6, lines 1- 
12; Col. 12, lines 15-25). 

Franklin discloses that the issuing institution uses the same cryptographic hashing
function to compute a MAC and then compares the generated MAC with the MAC provided by the
merchant, however, fails to disclose matching decoded fields of information with corresponding
transaction information as recited in the claims. Walker et al disclose a method for generating a
single-use financial account number by encrypting multiple fields of information such as an
initialization variable, an a-bit account number and a nonce (Col. 7, lines 60-67; Col. 8, lines 8-36).
Walker further discloses looking up secret information such as the cardholder's private key
to decrypt the fields of information and compares this information to validate the transaction (Col.
8, lines 40-67). Walker et al further disclose that instead of encoding the account number as part
of the credit card number, the name that appears on the card could take the place of the account
number and further that more bits become available and can be used to encode a timestamp,
purchase information or even merchant information (Col. 11, lines 8-19). Thus, it would have
been obvious to one having ordinary skill in the art at the time of applicant's invention to modify
the invention of Franklin and encrypt multiple fields of information by the user and then decrypt
this information by the issuing institution and perform a comparison to validate the transaction as
taught by Walker et al. Walker et al provides motivation by indicating that this method would
ensure a more secure electronic commercial transaction by preventing the merchant or an
intercepting third party from misusing the credit card information (Col. 3, lines 59-65).

As per Claim 2, Franklin et al further disclose wherein the corresponding transaction
information provided by the merchant includes a name and/or address associated with the user
(Col. 5, lines 29-32).

As per Claim 3, Franklin et al further disclose wherein the temporary authorization
number includes an additional encrypted message authentication code generated from the
multiple fields of information regarding the transaction using the secret information as a
cryptographic key (Col. 5, lines 32-43).

As per Claim 4, Franklin et al fail to specifically disclose wherein the temporary
authorization number includes a one-time encrypted password generated from information
provided by the user and/or the credit card issuer, however, this would have been obvious to one
having ordinary skill in the art. Franklin et al disclose that customer information is used to
generate the encrypted MAC (such as customer's name, account number, etc.), however one
skilled in the art would recognize that these are only examples and that any customer information
may be used such as a customer password. The motivation would be to provide flexibility and
provide more security by using different customer information to generate the MAC.

As per Claims 5, 7 and 17, Franklin et al disclose a method for facilitating credit card
transactions over a telecommunications network based on authentication information provided by
a user having an account with a credit card issuer, comprising the steps of:

- generating offline a temporary authorization number for the user based on secret
encoding and encryption information shared with the credit card issuer (Col. 4, lines 55-65; Col. 5,
lines 25-43);

- sending via the telecommunications network to an e-commerce merchant from the user
the temporary authorization number containing the authentication information in a message
authentication code utilized in a credit card transaction without disclosing a credit card account
number via the telecommunication network to the merchant (Figure 1; Col. 5, lines 27-52);

- obtaining via the telecommunications network a verification from the credit card issuer
based on a comparison of a generated MAC and the MAC provided in the temporary
authorization number using corresponding information regarding the transaction provided by the
merchant (Col. 5 line 59-Col. 6 line 23).

Franklin discloses that the issuing institution uses the same cryptographic hashing
function to compute a MAC and then compares the generated MAC with the MAC provided by the
merchant, however, fails to disclose matching decoded fields of information with corresponding
transaction information as recited in the claims. Walker et al disclose a method for generating a
single-use financial account number by encrypting multiple fields of information such as an
initialization variable, an a-bit account number and a nonce (Col. 7, lines 60-67; Col. 8, lines 8-36).
Walker further discloses looking up secret information such as the cardholder's private key
to decrypt the fields of information and compares this information to validate the transaction (Col.
8, lines 40-67). Walker et al further disclose that instead of encoding the account number as part
of the credit card number, the name that appears on the card could take the place of the account
number and further that more bits become available and can be used to encode a timestamp,
purchase information or even merchant information (Col. 11, lines 8-19). Thus, it would have
been obvious to one having ordinary skill in the art at the time of applicant's invention to modify
the invention of Franklin and encrypt multiple fields of information by the user and then decrypt
this information by the issuing institution and perform a comparison to validate the transaction as
taught by Walker et al. Walker et al provides motivation by indicating that this method would
ensure a more secure electronic commercial transaction by preventing the merchant or an
intercepting third party from misusing the credit card information (Col. 3, lines 59-65).

As per Claims 6 and 19-20, Franklin et al further disclose wherein the multiple encoded
fields of encrypted information includes as the authentication information a transaction amount,
date information, account number and merchant ID (Col. 5, lines 25-35).

As per Claim 8, Franklin et al further disclose wherein the temporary authorization
number includes an additional encrypted message authentication code generated from the
multiple fields of information regarding the transaction using the secret information as a
cryptographic key (Col. 5, lines 32-43).

As per Claim 9, Franklin et al fail to specifically disclose wherein the temporary
authorization number includes a one-time encrypted password generated from information
provided by the user and/or the credit card issuer, however, this would have been obvious to one
having ordinary skill in the art. Franklin et al disclose that customer information is used to
generate the encrypted MAC (such as customer's name, account number, etc.), however one
skilled in the art would recognize that these are only examples and that any customer information
may be used such as a customer password. The motivation would be to provide flexibility and
provide more security by using different customer information to generate the MAC.

As per Claims 10 and 18, Franklin et al further disclose wherein the temporary
authorization number has a format similar to a credit card number (Col. 5, lines 5-11 and 42-50).

As per Claim 21, Franklin et al further disclose wherein the corresponding transaction
information provided by the merchant includes a name and/or address associated with the user
(Col. 5, lines 29-32).

Conclusion 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS 
from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the
date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the date of this final action. 



9. Examiner's Note: Examiner has cited particular columns and line numbers in the references 
as applied to the claims below for the convenience of the applicant. Although the specified 
citations are representative of the teachings in the art and are applied to the specific limitations 
within the individual claim, other passages and figures may apply as well. It is respectfully 
requested from the applicant, in preparing the responses, to fully consider the references in 
entirety as potentially teaching all or part of the claimed invention, as well as the context of the 
passage as taught by the prior art or disclosed by the examiner. 

10. The prior art previously made of record and not relied upon is considered pertinent to
applicant's disclosure. 

• Demoff et al disclose a system for providing temporary credit authorizations and teach a 
randomly generated credit transaction number and made valid only for the requested transaction 

• Vizcaino discloses an apparatus for securing credit card transactions and teaches producing a 
verification number which is based on a transaction sequence number and an encryption 
algorithm stored in the device as well as a corresponding decryption algorithm stored in a 
verification computer. The verification computer matches a computed transaction sequence 
number to a stored transaction sequence number to verify the transaction. 

• Stambler discloses securing information relevant to a transaction using a variable 
authentication number 

• Flitcroft et al disclose a credit card system and teach providing limited use credit card numbers 
for single or limited use transactions 

• Canfield discloses a method for verifying credit card transactions and teaches the use of a
verification code number calculated by the customer and verified by the issuer

• Penzias discloses a system for fraud protection for credit card transactions and teaches that 
the customer may identify himself by supplying a card number. 

11. Any inquiry concerning this communication or earlier communications from the examiner
should be directed to John Hayes whose telephone number is (703) 306-5447. The examiner can
normally be reached Monday through Friday from 5:30 to 3:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Jim Trammell, can be reached on (703) 305-9768.

Any inquiry of a general nature or relating to the status of this application or proceeding
should be directed to the receptionist whose telephone number is (703) 308-1113.

Please address mail to be delivered by the United States Postal Service (USPS) as follows:

Mail Stop 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Please address mail to be delivered by other delivery services (Federal Express (Fed
Ex), UPS, DHL, Laser, Action, Purolator, etc.) as follows:

U.S. Patent and Trademark Office
2011 South Clark Place
Customer Window, Mail Stop
Crystal Plaza Two, Lobby, Room 1B03
Arlington, Virginia 22202

or faxed to:

(703) 872-9306 [Official communications; including After Final communications labeled "Box AF"]
(703) 746-5531 [Informal/Draft communications, labeled "PROPOSED" or "DRAFT"]

Hand delivered responses should be brought to Crystal Park 5, 2451 Crystal Drive,
Arlington, VA, 7th floor receptionist.

John W. Hayes
Primary Examiner
Art Unit 3621

August 9, 2004




